Azure AD¶
About¶
A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.
The Azure Active Directory (Azure AD) enterprise identity service provides single sign-on, multifactor authentication, and conditional access to guard against 99.9 percent of cybersecurity attacks. Azure AD Domain Services enables you to use managed domain services—such as Windows Domain Join, group policy, LDAP, and Kerberos authentication—without having to deploy, manage, or patch domain controllers. Provide highly secure digital experiences for partners, customers, citizens, patients, or any users outside your organization with customization controls. Combine user directories in one portal to seamlessly manage access across the organization.
Product Details¶
Vendor URL: Azure AD
Product Type: Authentication
Product Tier: Tier II
Integration Method: Custom
Integration URL: Azure AD - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: JSON
Expected Normalization Rate: Above 90%
Data Label: AZURE_AD
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| AUTHTYPE_UNSPECIFIED | extensions.auth.type |
| description | metadata.description |
| GENERIC_EVENT | metadata.event_type |
| GROUP_MODIFICATION | metadata.event_type |
| USER_CHANGE_PASSWORD | metadata.event_type |
| USER_CHANGE_PERMISSIONS | metadata.event_type |
| USER_LOGIN | metadata.event_type |
| USER_UNCATEGORIZED | metadata.event_type |
| product_event | metadata.product_event_type |
| summary | metadata.product_event_type |
| product | metadata.product_name |
| version | metadata.product_version |
| vendor | metadata.vendor_name |
| user_agent | network.http.user_agent |
| observer_domain | observer.administrative_domain |
| observer_hostname | observer.hostname |
| observer | observer.ip |
| principal_domain | principal.administrative_domain |
| principal_app | principal.application |
| initiatedBy.user.ipAddress | principal.asset.ip |
| principal_os | principal.asset.platform_software.platform |
| azureTenantId | principal.group.product_object_id |
| principal_hostname | principal.hostname |
| principal | principal.ip |
| userStates.0.userPrincipalName | principal.user.email_addresses |
| principal_user | principal.user.userid |
| properties.initiatedBy.user.id | principal.user.windows_sid |
| ALERTING | security_result.alert_state |
| HIGH_CONFIDENCE | security_result.confidence |
| HIGH_PRIORITY | security_result.priority |
| INFORMATIONAL | security_result.severity |
| LOW | security_result.severity |
| MEDIUM | security_result.severity |
| summary | security_result.summary |
| target_domain | target.administrative_domain |
| target_app | target.application |
| targetResources.0.displayName | target.asset.hostname |
| target | target.hostname |
| target | target.ip |
| identity | target.user.user_display_name |
| target_user | target.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Update group | GROUP_MODIFICATION |
| login-event,login-success,login-failed | USER_LOGIN |
| password-changed-success,password-changed-failed,password-changed,Change user password | USER_CHANGE_PASSWORD |
| Update user, user-updated | USER_UNCATEGORIZED |
| Add member to group | USER_CHANGE_PERMISSIONS |
| all others | GENERIC_EVENT |
Log Sample¶
{"riskLevelDuringSignIn":"none","riskState":"none","riskEventTypes":[],"appliedConditionalAccessPolicies":[{"displayName":"CA001: Require multi-factor authentication for admins","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"result":"success","id":"2e6d9c3b-681e-4725-883e-ac93a7e2ac16"},{"id":"6688edac-8260-405f-9b0e-f1cb5d82e9a6","displayName":"CA006: Require multi-factor authentication for Azure management","enforcedGrantControls":["Mfa"],"enforcedSessionControls":[],"result":"success"},{"result":"reportOnlyNotApplied","id":"419ca737-9549-4c37-b6ce-0ee7c5b43a0b","displayName":"CA003: Block legacy authentication","enforcedGrantControls":["Block"],"enforcedSessionControls":[]}],"userPrincipalName":"john.doe@domain.com","appDisplayName":"Azure Portal","isInteractive":true,"createdDateTime":"2022-04-20T13:02:00Z","riskLevelAggregated":"none","status":{"errorCode":0,"failureReason":"Other.","additionalDetails":null},"appId":"c44b4083-3bb0-49c1-b47d-974e53cbdf3c","clientAppUsed":"Browser","correlationId":"d47d29ff-c971-47fa-8034-e9a0e1fd4fff","riskDetail":"none","riskEventTypes_v2":[],"id":"346909c4-014f-46b3-b171-dda0ecaf1f00","userDisplayName":"Doe, John","userId":"34a103c1-17bc-4720-bc1d-34b210ad756e","deviceDetail":{"isManaged":true,"trustType":"Hybrid Azure AD joined","deviceId":"{PII Removed}","displayName":"{PII Removed}","operatingSystem":"Windows 10","browser":"Chrome 100.0.4896","isCompliant":true},"resourceId":"797f4846-ba00-4fd7-ba43-dac1f8f63013","location":{"city":"Best City","state":"State","countryOrRegion":"US","geoCoordinates":{"latitude":42.38296,"longitude":-71.09557,"altitude":null}},"ipAddress":"10.2.4.2","conditionalAccessStatus":"success","resourceDisplayName":"Windows Azure Service Management API"}
Sample Parsing¶
metadata.product_log_id: "346909c4-014f-46b3-b171-dda0ecaf1f00"
metadata.event_timestamp: 2022-04-20T13:02:00Z
metadata.event_type: USER_LOGIN
metadata.vendor_name: "Microsoft"
metadata.product_name: "Azure AD"
principal.hostname: "{PII Removed}"
principal.user.userid: "john.doe@domain.com"
principal.user.user_display_name: "Doe, John"
principal.user.email_addresses: "john.doe@domain.com"
principal.ip: "10.2.4.2"
principal.platform: WINDOWS
principal.platform_version: "Windows 10"
principal.location.city: "Best City"
principal.location.state: "State"
principal.location.country_or_region: "US"
target.user.application: "Azure Portal"
security_result.outcomes.key: "CA001: Require multi-factor authentication for admins"
security_result.outcomes.value: "success"
security_result.outcomes.key: "CA006: Require multi-factor authentication for Azure management"
security_result.outcomes.value: "success"
security_result.summary: "Successful login occurred"
security_result.action: ALLOW
network.http.user_agent: "Chrome 100.0.4896"
Parser Alerting¶
| loglevel | sec_result.severity | security_action | is_alert |
|---|---|---|---|
| (blank) | INFORMATIONAL | ALLOW | |
| (1), (2), (Unknown) | INFORMATIONAL | ALLOW | |
| (3), (4) | LOW | ALLOW | |
| (5), (6) | MEDIUM | ALLOW | |
| High | HIGH | BLOCK | Y |
| Error | ERROR | BLOCK | Y |
| Critical | CRITICAL | BLOCK | Y |
Rules¶
Coming Soon